From 38f13aadc420a4ed16aa65c092df211432fb83cf Mon Sep 17 00:00:00 2001
From: auth12 <67507608+auth12@users.noreply.github.com>
Date: Sun, 4 Jul 2021 01:24:58 +0100
Subject: replaced CreateRemoteThread

---
 sysmap/src/main.cpp         |  2 ++
 sysmap/src/mapper/process.h | 18 ++++++++++++++++--
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/sysmap/src/main.cpp b/sysmap/src/main.cpp
index 871be35..4c73340 100644
--- a/sysmap/src/main.cpp
+++ b/sysmap/src/main.cpp
@@ -43,6 +43,8 @@ int main(int argc, char* argv[]) {
 
 	g_syscalls.init();
 
+	io::log("waiting for {}", args[0]);
+
 	process::process_x64_t proc;
 	if (NT_SUCCESS(proc.attach(args[0]))) {
 		io::log("attached!");
diff --git a/sysmap/src/mapper/process.h b/sysmap/src/mapper/process.h
index 77f7185..9d6da35 100644
--- a/sysmap/src/mapper/process.h
+++ b/sysmap/src/mapper/process.h
@@ -154,7 +154,19 @@ namespace process {
 			return ret;
 		}
 
-		NTSTATUS close(HANDLE handle) {
+		NTSTATUS create_thread(uintptr_t start, HANDLE *out) {
+			static auto nt_create = g_syscalls.get("NtCreateThreadEx");
+
+			return nt_create(out, THREAD_ALL_ACCESS, nullptr, handle, reinterpret_cast(start), 0, 0x4, 0, 0, 0, 0);
+		}
+
+		NTSTATUS wait(HANDLE h) {
+			static auto nt_wait = g_syscalls.get("NtWaitForSingleObject");
+
+			return nt_wait(h, false, nullptr);
+		}
+
+		static NTSTATUS close(HANDLE handle) {
 			static auto nt_close = g_syscalls.get("NtClose");
 
 			auto ret = nt_close(handle);
@@ -448,7 +460,9 @@ namespace process {
 
 		write(shellcode_base, shellcode.data(), shellcode.size());
 
-		CreateRemoteThread(handle, 0, 0, (LPTHREAD_START_ROUTINE)shellcode_base, 0, 0, 0);
+		HANDLE thread_handle;
+		create_thread(shellcode_base, &thread_handle);
+		wait(thread_handle);
 
 		io::log("mapped target image");
 
-- 
cgit v1.2.3
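Review bot: In `create_thread` the `0x4` creation flag is a bare magic number and `THREAD_ALL_ACCESS` is far more than the one consumer in this commit (a wait) needs; in the commonly published NtCreateThreadEx flag definitions 0x4 corresponds to THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER, which is presumably deliberate for an injector but should be stated rather than decoded from the value, e.g. `constexpr ULONG kCreateFlags = 0x4; // THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER` and `SYNCHRONIZE` (plus `THREAD_QUERY_LIMITED_INFORMATION` if the exit code is ever read) as the desired access. `reinterpret_cast(start)` as rendered here carries no template argument — it may have been stripped by the page, but if it is really absent the header does not compile and the cast should name its target, e.g. `reinterpret_cast<PVOID>(start)`. `wait` passes a null timeout, so a remote thread that never returns blocks the mapper indefinitely; a timeout parameter (`PLARGE_INTEGER timeout = nullptr`) would keep the default while letting callers bound the wait. The enclosing class/namespace starts and ends outside this hunk.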
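Review bot: The NTSTATUS from `create_thread` is discarded, so on failure `thread_handle` is never written and `wait(thread_handle)` is called on an uninitialized `HANDLE` — the old `CreateRemoteThread` call had the same unchecked result, but the new helper returns a status that is easy to honour. The handle returned on success is never closed either, although a `close` helper exists in the same class, so each mapping leaks a thread handle in the mapper. The wait result is also ignored and `io::log("mapped target image")` runs regardless of whether the shellcode actually ran. The enclosing function starts and ends outside this hunk, so its return type is not visible; the early returns below assume it is NTSTATUS like the other helpers and should be adapted if it is not.
```cpp
		write(shellcode_base, shellcode.data(), shellcode.size());

		HANDLE thread_handle = nullptr;
		if (const auto status = create_thread(shellcode_base, &thread_handle); !NT_SUCCESS(status)) {
			io::log("NtCreateThreadEx failed: {:#x}", static_cast<unsigned long>(status));
			return status;
		}

		// Wait for the shellcode thread to finish, then release the handle — nothing else owns it.
		const auto wait_status = wait(thread_handle);
		close(thread_handle);
		if (!NT_SUCCESS(wait_status)) {
			io::log("NtWaitForSingleObject failed: {:#x}", static_cast<unsigned long>(wait_status));
			return wait_status;
		}
		// … unchanged: io::log("mapped target image") …
```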